Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25/12/2024, 20:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9d3ff928f49c64f20889bd4586ff58367b96d1ea491bf30785e855a03fb318c4N.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
9d3ff928f49c64f20889bd4586ff58367b96d1ea491bf30785e855a03fb318c4N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
9d3ff928f49c64f20889bd4586ff58367b96d1ea491bf30785e855a03fb318c4N.exe
-
Size
120KB
-
MD5
ace2ab64a72c562987c51cedb4043fa0
-
SHA1
4a9c6171e466bbfb84ce033be9f5ede5ab8be572
-
SHA256
9d3ff928f49c64f20889bd4586ff58367b96d1ea491bf30785e855a03fb318c4
-
SHA512
3b7181190f08ab2b33f9cbdcffb7bfcbe42f159db550a17df00e0602ae63934a20067ea7d72d6f284689150aaf27f732086511201874867740d33ec6f14b355f
-
SSDEEP
1536:R0hMXWBuWCKUY9m1oBQG5Fz1KqSjxVVR8k4wUe0M6zEjz0cZ44mjD9r823F4:5ljf+gqSNn4wH76Bi/mjRrz3C
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Domqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qododfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocmim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iknpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pclhdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeggbbci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pckajebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddpobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deollamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaqbln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khkbbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cblfdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdkcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chqoipkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlbgikia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baigca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggcaiqhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgqpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpabcbdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbpipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abeemhkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgqpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljfogake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjlheehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kopokehd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaolidlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hifmbmda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idmkdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bceibfgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphecepe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioakoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbaaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqcpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meicnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jaijak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdmhbplb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbohehoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abpjjeim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfeepelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imleli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehdan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbncfjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkffng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edibhmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdpjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clalod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmcfhkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpfhoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Melifl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poklngnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piqpkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adnpkjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibckfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heealhla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpmpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agjmim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkfddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqjmncna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfmddp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jagnlkjd.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2488 Nofdklgl.exe 2704 Neplhf32.exe 2672 Oebimf32.exe 2460 Odhfob32.exe 484 Oomjlk32.exe 1844 Ohendqhd.exe 2124 Oancnfoe.exe 1608 Ogkkfmml.exe 3012 Oqcpob32.exe 2664 Ocalkn32.exe 2508 Pkidlk32.exe 496 Pfbelipa.exe 2144 Pgbafl32.exe 2152 Pmojocel.exe 2296 Pjbjhgde.exe 2212 Pkdgpo32.exe 1756 Pdlkiepd.exe 1724 Pndpajgd.exe 608 Qngmgjeb.exe 300 Qbbhgi32.exe 1744 Qkkmqnck.exe 2448 Abeemhkh.exe 1624 Akmjfn32.exe 1892 Amnfnfgg.exe 1572 Agdjkogm.exe 2764 Ajbggjfq.exe 2676 Ackkppma.exe 2692 Ajecmj32.exe 1708 Aaolidlk.exe 700 Acmhepko.exe 2912 Ajgpbj32.exe 1184 Aijpnfif.exe 2356 Amelne32.exe 2892 Blkioa32.exe 2552 Bnielm32.exe 1388 Bbgnak32.exe 1516 Bjbcfn32.exe 2148 Behgcf32.exe 2088 Baohhgnf.exe 2016 Bhhpeafc.exe 1528 Bmeimhdj.exe 1524 Cilibi32.exe 1552 Cdanpb32.exe 2000 Cphndc32.exe 864 Cbgjqo32.exe 1728 Ciqcmiei.exe 868 Clooiddm.exe 2800 Conkepdq.exe 2792 Clalod32.exe 2884 Candgk32.exe 2696 Cielhh32.exe 920 Dldhdc32.exe 2720 Daqamj32.exe 1944 Dlfejcoe.exe 2160 Dkiefp32.exe 780 Deojci32.exe 380 Ddajoelp.exe 2780 Dkkbkp32.exe 2072 Dnjngk32.exe 1308 Daejhjkj.exe 2584 Dgbcpq32.exe 2064 Djqoll32.exe 1704 Ddfcje32.exe 1128 Dnnhbjnk.exe -
Loads dropped DLL 64 IoCs
pid Process 2956 9d3ff928f49c64f20889bd4586ff58367b96d1ea491bf30785e855a03fb318c4N.exe 2956 9d3ff928f49c64f20889bd4586ff58367b96d1ea491bf30785e855a03fb318c4N.exe 2488 Nofdklgl.exe 2488 Nofdklgl.exe 2704 Neplhf32.exe 2704 Neplhf32.exe 2672 Oebimf32.exe 2672 Oebimf32.exe 2460 Odhfob32.exe 2460 Odhfob32.exe 484 Oomjlk32.exe 484 Oomjlk32.exe 1844 Ohendqhd.exe 1844 Ohendqhd.exe 2124 Oancnfoe.exe 2124 Oancnfoe.exe 1608 Ogkkfmml.exe 1608 Ogkkfmml.exe 3012 Oqcpob32.exe 3012 Oqcpob32.exe 2664 Ocalkn32.exe 2664 Ocalkn32.exe 2508 Pkidlk32.exe 2508 Pkidlk32.exe 496 Pfbelipa.exe 496 Pfbelipa.exe 2144 Pgbafl32.exe 2144 Pgbafl32.exe 2152 Pmojocel.exe 2152 Pmojocel.exe 2296 Pjbjhgde.exe 2296 Pjbjhgde.exe 2212 Pkdgpo32.exe 2212 Pkdgpo32.exe 1756 Pdlkiepd.exe 1756 Pdlkiepd.exe 1724 Pndpajgd.exe 1724 Pndpajgd.exe 608 Qngmgjeb.exe 608 Qngmgjeb.exe 300 Qbbhgi32.exe 300 Qbbhgi32.exe 1744 Qkkmqnck.exe 1744 Qkkmqnck.exe 2448 Abeemhkh.exe 2448 Abeemhkh.exe 1624 Akmjfn32.exe 1624 Akmjfn32.exe 1892 Amnfnfgg.exe 1892 Amnfnfgg.exe 1572 Agdjkogm.exe 1572 Agdjkogm.exe 2764 Ajbggjfq.exe 2764 Ajbggjfq.exe 2676 Ackkppma.exe 2676 Ackkppma.exe 2692 Ajecmj32.exe 2692 Ajecmj32.exe 1708 Aaolidlk.exe 1708 Aaolidlk.exe 700 Acmhepko.exe 700 Acmhepko.exe 2912 Ajgpbj32.exe 2912 Ajgpbj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eligcnhi.dll Ghajacmo.exe File created C:\Windows\SysWOW64\Gedjkeaj.dll Iliebpfc.exe File created C:\Windows\SysWOW64\Bjbcfn32.exe Bbgnak32.exe File created C:\Windows\SysWOW64\Jliflphb.dll Leopgo32.exe File created C:\Windows\SysWOW64\Mmkehj32.dll Lpgajgeg.exe File created C:\Windows\SysWOW64\Hdhlfoln.dll Bejfao32.exe File opened for modification C:\Windows\SysWOW64\Eeohkeoe.exe Epbpbnan.exe File opened for modification C:\Windows\SysWOW64\Oehklddp.exe Ocjophem.exe File created C:\Windows\SysWOW64\Jajjnjlc.dll Cfeepelg.exe File opened for modification C:\Windows\SysWOW64\Lddlkg32.exe Lbfook32.exe File created C:\Windows\SysWOW64\Dkiefp32.exe Dlfejcoe.exe File created C:\Windows\SysWOW64\Ookpodkj.exe Ohagbj32.exe File created C:\Windows\SysWOW64\Cefkjiak.dll Gfejjgli.exe File created C:\Windows\SysWOW64\Ogqhpm32.dll Offmipej.exe File opened for modification C:\Windows\SysWOW64\Chfbgn32.exe Cfeepelg.exe File opened for modification C:\Windows\SysWOW64\Fpoolael.exe Fnacpffh.exe File created C:\Windows\SysWOW64\Ogjknh32.dll Hmkeke32.exe File opened for modification C:\Windows\SysWOW64\Nmkncofl.exe Mioabp32.exe File created C:\Windows\SysWOW64\Pojbkh32.exe Phpjnnki.exe File opened for modification C:\Windows\SysWOW64\Elldgehk.exe Eniclh32.exe File opened for modification C:\Windows\SysWOW64\Nfnneb32.exe Npdfhhhe.exe File opened for modification C:\Windows\SysWOW64\Cmjdaqgi.exe Cjlheehe.exe File opened for modification C:\Windows\SysWOW64\Hgbfnngi.exe Hahnac32.exe File opened for modification C:\Windows\SysWOW64\Kklkcn32.exe Kgqocoin.exe File created C:\Windows\SysWOW64\Hjphijco.dll Ajgpbj32.exe File created C:\Windows\SysWOW64\Lpgajgeg.exe Lgpiij32.exe File opened for modification C:\Windows\SysWOW64\Alihaioe.exe Qgmpibam.exe File created C:\Windows\SysWOW64\Dpapaj32.exe Dmbcen32.exe File created C:\Windows\SysWOW64\Niehmp32.dll Candgk32.exe File created C:\Windows\SysWOW64\Mmhamoho.exe Mjjdacik.exe File created C:\Windows\SysWOW64\Hnaldfli.dll Epbfmd32.exe File opened for modification C:\Windows\SysWOW64\Nidmfh32.exe Nbjeinje.exe File created C:\Windows\SysWOW64\Lbcbjlmb.exe Lnhgim32.exe File created C:\Windows\SysWOW64\Hhpgpebh.exe Gmjcblbb.exe File created C:\Windows\SysWOW64\Jpfhoi32.exe Jjmpbopd.exe File created C:\Windows\SysWOW64\Mhonngce.exe Meabakda.exe File opened for modification C:\Windows\SysWOW64\Doecog32.exe Dlfgcl32.exe File created C:\Windows\SysWOW64\Gfhnop32.dll Ddblgn32.exe File created C:\Windows\SysWOW64\Dgbcpq32.exe Daejhjkj.exe File opened for modification C:\Windows\SysWOW64\Nkhdkgnj.exe Neklbppb.exe File created C:\Windows\SysWOW64\Opnhdoap.dll Dakmfh32.exe File created C:\Windows\SysWOW64\Qododfek.exe Qgmfchei.exe File created C:\Windows\SysWOW64\Gmkkhgfk.dll Ffnbaojm.exe File opened for modification C:\Windows\SysWOW64\Jkpbdq32.exe Jdejhfig.exe File created C:\Windows\SysWOW64\Qffhlolm.dll Eknmhk32.exe File opened for modification C:\Windows\SysWOW64\Mcjhmcok.exe Mqklqhpg.exe File created C:\Windows\SysWOW64\Bgoime32.exe Bbbpenco.exe File created C:\Windows\SysWOW64\Ccjoli32.exe Cmpgpond.exe File created C:\Windows\SysWOW64\Ehakigbo.exe Efcomkcl.exe File opened for modification C:\Windows\SysWOW64\Pnopldgn.exe Pkacpihj.exe File created C:\Windows\SysWOW64\Picanc32.dll Cemjae32.exe File created C:\Windows\SysWOW64\Bgeogj32.dll Ejkkfjkj.exe File opened for modification C:\Windows\SysWOW64\Hmalldcn.exe Hjcppidk.exe File created C:\Windows\SysWOW64\Eijdkcgn.exe Eeohkeoe.exe File opened for modification C:\Windows\SysWOW64\Ddnfop32.exe Dmdnbecj.exe File created C:\Windows\SysWOW64\Fpkbeabf.dll Fffefjmi.exe File created C:\Windows\SysWOW64\Bfdmobkp.dll Mjkndb32.exe File opened for modification C:\Windows\SysWOW64\Qgmfchei.exe Qdojgmfe.exe File created C:\Windows\SysWOW64\Bflbhgjm.dll Cfcijf32.exe File created C:\Windows\SysWOW64\Nbjeinje.exe Nnoiio32.exe File created C:\Windows\SysWOW64\Ajpepm32.exe Acfmcc32.exe File opened for modification C:\Windows\SysWOW64\Bnknoogp.exe Bceibfgj.exe File opened for modification C:\Windows\SysWOW64\Cemjae32.exe Bbonei32.exe File created C:\Windows\SysWOW64\Hpdqdddf.dll Jkbojpna.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9132 9096 WerFault.exe 877 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gligjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Findhdcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacclpae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jliaac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnfop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkndb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmjcblbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbqdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbopmnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padhdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgnge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfhoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcomhbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnacpffh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkeke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkdaqa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khabghdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndmecgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpiij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmjnak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ookpodkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcbecl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkidlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfonkfqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkpbdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeaco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deojci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geoonjeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfeepelg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmibgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfedqagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajala32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkpijma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpgconp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpiqmlfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhjopbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmadbjkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbekjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmdkcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlndnacm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdlkcdog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqpecma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahebaiac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bieopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Candgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elajgpmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpgajgeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnojacgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhoag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jampjian.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohendqhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnfomn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhjlbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpdeogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mngjeamd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddblgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopkjhko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nofdklgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpifm32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmegncpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjjmijme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejdjfjb.dll" Hbaaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kopokehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chiimh32.dll" Mcifdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mioabp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjoofhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eldglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlphbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkefga32.dll" Gmjcblbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aapemc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dinklffl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pckajebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edibhmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdpjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdefbe32.dll" Djqoll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paefhp32.dll" Fcdopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohidmoaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libmpn32.dll" Jhjphfgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knakol32.dll" Melifl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afjjed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcbecl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oancnfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdcifi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdaglmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nipdkieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll" Bjdkjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjonncab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdldnomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcmben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gqlebf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meabakda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnifgpff.dll" Kgpmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fffefjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goejop32.dll" Lqcmmjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djgompkk.dll" Eklqcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmgfqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekjgpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjdjklek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjcbk32.dll" Ljghjpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgnadk32.dll" Lkfddc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkjdndjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iahhgnkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qododfek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eamilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kljabgnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kffldlne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll" Aomnhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aliolp32.dll" Ohendqhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anahqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keacocpm.dll" Enkpahon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkaghg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kklkcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlfgce32.dll" Nedhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdonaop.dll" Pkljdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbdhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcqkfc32.dll" Hphidanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbhcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdjccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmjqpdje.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2956 wrote to memory of 2488 2956 9d3ff928f49c64f20889bd4586ff58367b96d1ea491bf30785e855a03fb318c4N.exe 30 PID 2956 wrote to memory of 2488 2956 9d3ff928f49c64f20889bd4586ff58367b96d1ea491bf30785e855a03fb318c4N.exe 30 PID 2956 wrote to memory of 2488 2956 9d3ff928f49c64f20889bd4586ff58367b96d1ea491bf30785e855a03fb318c4N.exe 30 PID 2956 wrote to memory of 2488 2956 9d3ff928f49c64f20889bd4586ff58367b96d1ea491bf30785e855a03fb318c4N.exe 30 PID 2488 wrote to memory of 2704 2488 Nofdklgl.exe 31 PID 2488 wrote to memory of 2704 2488 Nofdklgl.exe 31 PID 2488 wrote to memory of 2704 2488 Nofdklgl.exe 31 PID 2488 wrote to memory of 2704 2488 Nofdklgl.exe 31 PID 2704 wrote to memory of 2672 2704 Neplhf32.exe 32 PID 2704 wrote to memory of 2672 2704 Neplhf32.exe 32 PID 2704 wrote to memory of 2672 2704 Neplhf32.exe 32 PID 2704 wrote to memory of 2672 2704 Neplhf32.exe 32 PID 2672 wrote to memory of 2460 2672 Oebimf32.exe 33 PID 2672 wrote to memory of 2460 2672 Oebimf32.exe 33 PID 2672 wrote to memory of 2460 2672 Oebimf32.exe 33 PID 2672 wrote to memory of 2460 2672 Oebimf32.exe 33 PID 2460 wrote to memory of 484 2460 Odhfob32.exe 34 PID 2460 wrote to memory of 484 2460 Odhfob32.exe 34 PID 2460 wrote to memory of 484 2460 Odhfob32.exe 34 PID 2460 wrote to memory of 484 2460 Odhfob32.exe 34 PID 484 wrote to memory of 1844 484 Oomjlk32.exe 35 PID 484 wrote to memory of 1844 484 Oomjlk32.exe 35 PID 484 wrote to memory of 1844 484 Oomjlk32.exe 35 PID 484 wrote to memory of 1844 484 Oomjlk32.exe 35 PID 1844 wrote to memory of 2124 1844 Ohendqhd.exe 36 PID 1844 wrote to memory of 2124 1844 Ohendqhd.exe 36 PID 1844 wrote to memory of 2124 1844 Ohendqhd.exe 36 PID 1844 wrote to memory of 2124 1844 Ohendqhd.exe 36 PID 2124 wrote to memory of 1608 2124 Oancnfoe.exe 37 PID 2124 wrote to memory of 1608 2124 Oancnfoe.exe 37 PID 2124 wrote to memory of 1608 2124 Oancnfoe.exe 37 PID 2124 wrote to memory of 1608 2124 Oancnfoe.exe 37 PID 1608 wrote to memory of 3012 1608 Ogkkfmml.exe 38 PID 1608 wrote to memory of 3012 1608 Ogkkfmml.exe 38 PID 1608 wrote to memory of 3012 1608 Ogkkfmml.exe 38 PID 1608 wrote to memory of 3012 1608 Ogkkfmml.exe 38 PID 3012 wrote to memory of 2664 3012 Oqcpob32.exe 39 PID 3012 wrote to memory of 2664 3012 Oqcpob32.exe 39 PID 3012 wrote to memory of 2664 3012 Oqcpob32.exe 39 PID 3012 wrote to memory of 2664 3012 Oqcpob32.exe 39 PID 2664 wrote to memory of 2508 2664 Ocalkn32.exe 40 PID 2664 wrote to memory of 2508 2664 Ocalkn32.exe 40 PID 2664 wrote to memory of 2508 2664 Ocalkn32.exe 40 PID 2664 wrote to memory of 2508 2664 Ocalkn32.exe 40 PID 2508 wrote to memory of 496 2508 Pkidlk32.exe 41 PID 2508 wrote to memory of 496 2508 Pkidlk32.exe 41 PID 2508 wrote to memory of 496 2508 Pkidlk32.exe 41 PID 2508 wrote to memory of 496 2508 Pkidlk32.exe 41 PID 496 wrote to memory of 2144 496 Pfbelipa.exe 42 PID 496 wrote to memory of 2144 496 Pfbelipa.exe 42 PID 496 wrote to memory of 2144 496 Pfbelipa.exe 42 PID 496 wrote to memory of 2144 496 Pfbelipa.exe 42 PID 2144 wrote to memory of 2152 2144 Pgbafl32.exe 43 PID 2144 wrote to memory of 2152 2144 Pgbafl32.exe 43 PID 2144 wrote to memory of 2152 2144 Pgbafl32.exe 43 PID 2144 wrote to memory of 2152 2144 Pgbafl32.exe 43 PID 2152 wrote to memory of 2296 2152 Pmojocel.exe 44 PID 2152 wrote to memory of 2296 2152 Pmojocel.exe 44 PID 2152 wrote to memory of 2296 2152 Pmojocel.exe 44 PID 2152 wrote to memory of 2296 2152 Pmojocel.exe 44 PID 2296 wrote to memory of 2212 2296 Pjbjhgde.exe 45 PID 2296 wrote to memory of 2212 2296 Pjbjhgde.exe 45 PID 2296 wrote to memory of 2212 2296 Pjbjhgde.exe 45 PID 2296 wrote to memory of 2212 2296 Pjbjhgde.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d3ff928f49c64f20889bd4586ff58367b96d1ea491bf30785e855a03fb318c4N.exe"C:\Users\Admin\AppData\Local\Temp\9d3ff928f49c64f20889bd4586ff58367b96d1ea491bf30785e855a03fb318c4N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Nofdklgl.exeC:\Windows\system32\Nofdklgl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Neplhf32.exeC:\Windows\system32\Neplhf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Oebimf32.exeC:\Windows\system32\Oebimf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Odhfob32.exeC:\Windows\system32\Odhfob32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Oomjlk32.exeC:\Windows\system32\Oomjlk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\Ohendqhd.exeC:\Windows\system32\Ohendqhd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Oancnfoe.exeC:\Windows\system32\Oancnfoe.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Ogkkfmml.exeC:\Windows\system32\Ogkkfmml.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Oqcpob32.exeC:\Windows\system32\Oqcpob32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Ocalkn32.exeC:\Windows\system32\Ocalkn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Pkidlk32.exeC:\Windows\system32\Pkidlk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Pfbelipa.exeC:\Windows\system32\Pfbelipa.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:496 -
C:\Windows\SysWOW64\Pgbafl32.exeC:\Windows\system32\Pgbafl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Pmojocel.exeC:\Windows\system32\Pmojocel.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Pjbjhgde.exeC:\Windows\system32\Pjbjhgde.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Pkdgpo32.exeC:\Windows\system32\Pkdgpo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Pdlkiepd.exeC:\Windows\system32\Pdlkiepd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Qngmgjeb.exeC:\Windows\system32\Qngmgjeb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:608 -
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:300 -
C:\Windows\SysWOW64\Qkkmqnck.exeC:\Windows\system32\Qkkmqnck.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Abeemhkh.exeC:\Windows\system32\Abeemhkh.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Akmjfn32.exeC:\Windows\system32\Akmjfn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1892 -
C:\Windows\SysWOW64\Agdjkogm.exeC:\Windows\system32\Agdjkogm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Ajbggjfq.exeC:\Windows\system32\Ajbggjfq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Ackkppma.exeC:\Windows\system32\Ackkppma.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Ajecmj32.exeC:\Windows\system32\Ajecmj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Aaolidlk.exeC:\Windows\system32\Aaolidlk.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Acmhepko.exeC:\Windows\system32\Acmhepko.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:700 -
C:\Windows\SysWOW64\Ajgpbj32.exeC:\Windows\system32\Ajgpbj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Aijpnfif.exeC:\Windows\system32\Aijpnfif.exe33⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Amelne32.exeC:\Windows\system32\Amelne32.exe34⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Blkioa32.exeC:\Windows\system32\Blkioa32.exe35⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Bnielm32.exeC:\Windows\system32\Bnielm32.exe36⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Bbgnak32.exeC:\Windows\system32\Bbgnak32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1388 -
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe38⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe39⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Baohhgnf.exeC:\Windows\system32\Baohhgnf.exe40⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Bhhpeafc.exeC:\Windows\system32\Bhhpeafc.exe41⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Bmeimhdj.exeC:\Windows\system32\Bmeimhdj.exe42⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Cilibi32.exeC:\Windows\system32\Cilibi32.exe43⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Cdanpb32.exeC:\Windows\system32\Cdanpb32.exe44⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Cphndc32.exeC:\Windows\system32\Cphndc32.exe45⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Cbgjqo32.exeC:\Windows\system32\Cbgjqo32.exe46⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe47⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Clooiddm.exeC:\Windows\system32\Clooiddm.exe48⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Conkepdq.exeC:\Windows\system32\Conkepdq.exe49⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Clalod32.exeC:\Windows\system32\Clalod32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Candgk32.exeC:\Windows\system32\Candgk32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Cielhh32.exeC:\Windows\system32\Cielhh32.exe52⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Dldhdc32.exeC:\Windows\system32\Dldhdc32.exe53⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Daqamj32.exeC:\Windows\system32\Daqamj32.exe54⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Dlfejcoe.exeC:\Windows\system32\Dlfejcoe.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Dkiefp32.exeC:\Windows\system32\Dkiefp32.exe56⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Deojci32.exeC:\Windows\system32\Deojci32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:780 -
C:\Windows\SysWOW64\Ddajoelp.exeC:\Windows\system32\Ddajoelp.exe58⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Dkkbkp32.exeC:\Windows\system32\Dkkbkp32.exe59⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe60⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Dgbcpq32.exeC:\Windows\system32\Dgbcpq32.exe62⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Djqoll32.exeC:\Windows\system32\Djqoll32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Ddfcje32.exeC:\Windows\system32\Ddfcje32.exe64⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Dnnhbjnk.exeC:\Windows\system32\Dnnhbjnk.exe65⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Dpmdofno.exeC:\Windows\system32\Dpmdofno.exe66⤵PID:2228
-
C:\Windows\SysWOW64\Egglkp32.exeC:\Windows\system32\Egglkp32.exe67⤵PID:2020
-
C:\Windows\SysWOW64\Efjlgmlf.exeC:\Windows\system32\Efjlgmlf.exe68⤵PID:2984
-
C:\Windows\SysWOW64\Elcdcgcc.exeC:\Windows\system32\Elcdcgcc.exe69⤵PID:2788
-
C:\Windows\SysWOW64\Ecnmpa32.exeC:\Windows\system32\Ecnmpa32.exe70⤵PID:264
-
C:\Windows\SysWOW64\Ehjehh32.exeC:\Windows\system32\Ehjehh32.exe71⤵PID:2108
-
C:\Windows\SysWOW64\Eodnebpd.exeC:\Windows\system32\Eodnebpd.exe72⤵PID:2796
-
C:\Windows\SysWOW64\Ebcjamoh.exeC:\Windows\system32\Ebcjamoh.exe73⤵PID:3060
-
C:\Windows\SysWOW64\Ekknjcfh.exeC:\Windows\system32\Ekknjcfh.exe74⤵PID:2540
-
C:\Windows\SysWOW64\Edccch32.exeC:\Windows\system32\Edccch32.exe75⤵PID:2928
-
C:\Windows\SysWOW64\Eknkpbdf.exeC:\Windows\system32\Eknkpbdf.exe76⤵PID:2276
-
C:\Windows\SysWOW64\Enlglnci.exeC:\Windows\system32\Enlglnci.exe77⤵PID:2548
-
C:\Windows\SysWOW64\Efcomkcl.exeC:\Windows\system32\Efcomkcl.exe78⤵
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Ehakigbo.exeC:\Windows\system32\Ehakigbo.exe79⤵PID:2272
-
C:\Windows\SysWOW64\Fjeefofk.exeC:\Windows\system32\Fjeefofk.exe80⤵PID:1992
-
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe81⤵PID:1684
-
C:\Windows\SysWOW64\Fdjidgfa.exeC:\Windows\system32\Fdjidgfa.exe82⤵PID:296
-
C:\Windows\SysWOW64\Fkdaqa32.exeC:\Windows\system32\Fkdaqa32.exe83⤵
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Fmfnhj32.exeC:\Windows\system32\Fmfnhj32.exe84⤵PID:2840
-
C:\Windows\SysWOW64\Fqajihle.exeC:\Windows\system32\Fqajihle.exe85⤵PID:1564
-
C:\Windows\SysWOW64\Ffnbaojm.exeC:\Windows\system32\Ffnbaojm.exe86⤵
- Drops file in System32 directory
PID:1120 -
C:\Windows\SysWOW64\Fmhjni32.exeC:\Windows\system32\Fmhjni32.exe87⤵PID:860
-
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe88⤵PID:2656
-
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe89⤵PID:2896
-
C:\Windows\SysWOW64\Fafcdh32.exeC:\Windows\system32\Fafcdh32.exe90⤵PID:2880
-
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe91⤵
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Fbgpkpnn.exeC:\Windows\system32\Fbgpkpnn.exe92⤵PID:2204
-
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe93⤵PID:2268
-
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe94⤵PID:1060
-
C:\Windows\SysWOW64\Gcglec32.exeC:\Windows\system32\Gcglec32.exe95⤵PID:1784
-
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe96⤵PID:2612
-
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe97⤵PID:2224
-
C:\Windows\SysWOW64\Gpnmjd32.exeC:\Windows\system32\Gpnmjd32.exe98⤵PID:2644
-
C:\Windows\SysWOW64\Gblifo32.exeC:\Windows\system32\Gblifo32.exe99⤵PID:2740
-
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe100⤵PID:2908
-
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe101⤵PID:528
-
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe102⤵PID:2904
-
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe103⤵PID:856
-
C:\Windows\SysWOW64\Gjijqa32.exeC:\Windows\system32\Gjijqa32.exe104⤵PID:2300
-
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe105⤵
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\Gligjd32.exeC:\Windows\system32\Gligjd32.exe106⤵
- System Location Discovery: System Language Discovery
PID:1852 -
C:\Windows\SysWOW64\Gngcgp32.exeC:\Windows\system32\Gngcgp32.exe107⤵PID:2408
-
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe108⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Hhpgpebh.exeC:\Windows\system32\Hhpgpebh.exe109⤵PID:880
-
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe110⤵PID:2900
-
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe111⤵PID:1660
-
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe112⤵PID:2044
-
C:\Windows\SysWOW64\Hfedqagp.exeC:\Windows\system32\Hfedqagp.exe113⤵
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\SysWOW64\Hmomml32.exeC:\Windows\system32\Hmomml32.exe114⤵PID:1680
-
C:\Windows\SysWOW64\Hbleeb32.exeC:\Windows\system32\Hbleeb32.exe115⤵PID:1896
-
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:748 -
C:\Windows\SysWOW64\Hppfog32.exeC:\Windows\system32\Hppfog32.exe117⤵PID:2036
-
C:\Windows\SysWOW64\Helngnie.exeC:\Windows\system32\Helngnie.exe118⤵PID:1132
-
C:\Windows\SysWOW64\Hmcfhkjg.exeC:\Windows\system32\Hmcfhkjg.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Hoebpc32.exeC:\Windows\system32\Hoebpc32.exe120⤵PID:2560
-
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe121⤵PID:3020
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-